<!--
.. title: Security advisory: CVE-2017-9868
.. slug: security-advisory-cve-2017-9868
.. date: 2017-06-26 11:45:51
.. tags: Security
.. category:
.. link:
.. description:
.. type: text
-->

A vulnerability known as [CVE-2017-9868] exists in Mosquitto versions 0.15 to
1.4.12 inclusive.

If persistence is enabled, the persistence file is created world-readable,
which has the potential to make sensitive information available to any local
user.

Patches are available to fix this for Unix-like operating systems (i.e. not
Windows): <https://mosquitto.org/files/cve/2017-9868/>

This will be fixed in version 1.4.13, due to be released shortly.

This can also be fixed administratively by removing world read permissions for
the directory that the persistence file is stored in. In many systems this can
be achieved with:

```
chmod 700 /var/lib/mosquitto
```
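
To confirm whether a host is affected, or that the change above took effect, the permission check can be scripted. The following is an added example, not part of the original advisory or the Mosquitto project; the function names `has_mode` and `audit_persistence` are hypothetical, and the directory is passed as an argument (`/var/lib/mosquitto` in the command above).

```shell
#!/bin/sh
# Added example (not from the Mosquitto project): report whether files in a
# persistence directory are readable by "other" local users.
# Only mode bits on the directory and its files are checked; parent
# directories and ACLs are out of scope.

# has_mode PATH BITS -> 0 if all of the octal BITS are set on PATH
has_mode() {
    [ -n "$(find "$1" -maxdepth 0 -perm "-$2" 2>/dev/null)" ]
}

# audit_persistence DIR -> 0 if not exposed, 1 if exposed, 2 on usage error
audit_persistence() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # Without o+x on the directory, other users cannot open files inside
    # it whatever the files' own modes are (the administrative fix).
    if ! has_mode "$dir" 001; then
        echo "OK: $dir is closed to other users"
        return 0
    fi
    # Directory is traversable: any file with o+r can be read.
    exposed=$(find "$dir" -maxdepth 1 -type f -perm -004 2>/dev/null)
    if [ -n "$exposed" ]; then
        echo "EXPOSED: world-readable files under $dir:"
        echo "$exposed"
        return 1
    fi
    echo "OK: no world-readable files directly under $dir"
    return 0
}

# Run as a script: sh audit.sh /var/lib/mosquitto
[ "$#" -eq 0 ] || audit_persistence "$1"
```

A return status of 1 means at least one file in the directory is readable by every local account; status 0 after `chmod 700` confirms the directory no longer grants access to other users.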

[CVE-2017-9868]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868
